
FIGURE 1 



Receive at a first sensor the belief state of another sensor in the intrusion detection system.

Adjust a prior belief state of the first sensor, the adjustment based at least in part on the other sensor's belief state.




FIGURE 2 
FIGURE 3



Identify a set of potentially similar features shared by a new alert and one or more existing alert classes.

Generate or update an expectation of similarity between the features of the new alert and the features of one or more existing alert classes.

Generate or update a minimum similarity requirement for the features of the new alert and the features of one or more existing alert classes.

Perform a comparison between the new alert and the existing alert class(es).

Associate the new alert with the existing alert class that it most closely matches.

Define a new alert class to include the new alert.



FIGURE 4 
Figure 5




Figure 6 
EMERALD Development Project
System Design Laboratory 



Observer Name: eaggregate 
Observer Location: hiilsdalexsUH^m 
Observer Source: realtime 
Local Host Time: 01/02/01 13^)9:13 PST 
Figure 7




Figure 8 